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(g) Logic circuit having error detection function, redundant resource management method, and fault 
tolerant system using It 

(g) The present invention relates to a self-checking circuit and a method of its configuration. More 
particularly, it concerns a self-checking circuit useful for highly reliable system configuration. 

As for a logic circuit having error detection function that has function blocks of feeding out a plurality 
of signals at least duplexed, compares the output signals of the function blocks, and detects an error on 
the basis of results of the comparison, it comprises synthesizing means provided to superimpose 
inherent waveforms assigned in advance to the respective output signals of the function blocks onto the 
output signals of one of the function blocks. The inherent waveforms are orthogonal waveforms 
generated by orthogonal waveform generator circuit. The logic circuit also comprises comparison 
means for comparing a signal output of the synthesizing means with the signal output of the other 
function block to detect the error. The whole circuit including the function blocks are judged normal 
only if the waveforms inherent to the both output signals exist 
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The present invention relates to a self-checking circuit and a method of its configuration. More particularly, 
it concerns a self-checking circuit useful for highly reliable system configuration. 

Also, the present invention relates to a management method of redundant resource, and more particularly 
concerns an effective use of the redundant resource in a fault tolerant computer system. 

5 Control systems for airplanes, trains, automobiles, and similar means of transportation are increasingly 

electrolyzed as advanced control performances are needed to increase energy (fuel) efficiency, operation- 
ability, comfortability, and their speeds. To run the means of transportation safely, any of the control systems 
are forcefully required to be high in the reliability and the fail-safe performance that is no dangerous output is 
caused by occurrence of fault 

10 To assure the reliability and fail-safe performance of the control system, it is important the control system 

to have a capability of detecting the occurrence of fault, that is, a self-checking capability. To accomplish the 
self-checking capability, the so-called redundant code is generally used that has a hamming distance of higher 
than 2 between codes, such as the M-out-of-N code and two-rail logic (1-out-of-2 code) that can be regarded 
as a kind of the M-out-of-N code. The redundant code can perfectly detect the fault as long as it is a single 

is fault. However, it cannot always detect a multiple of faults. If the self-checking circuit is accomplished in an 
LSI, a fault may spread over the whole chip. This would be a phenomenon equivalent to the occurrence of the 
multiple of faults. Assuming errors be random, Eq. 1 below gives a probability ti of wrong output signals due 
to the fault coincide with code points in a specif ic output code space O. 

r] = No/Nu (1) 

20 where No is number of the code points in the output code space O and Nu is number of the code points. There- 
fore, it is a problem how to increase Nu to No to increase the detection rate. 

There are the following two methods to accomplish the self-checking circuit having such redundant codes 
as described above. 

(1) A method of forming the whole circuit of redundant codes. 
25 (2) A method of replicating function blocks and using a self-checking comparison circuit formed of redun- 

dant codes to compare signals output of the function blocks. 

The method (1 ) above is involved in problems that the circuit must be newly designed to make self-checking 
and it is difficult to optimize its operation speed. 

On the other hand, the method (2) has the advantage that usual processor, memory, and other devices 
30 can be used for the function blocks since only the comparison circuit should be newly designed in redundant 
logic. This can decrease the development cost to a great extent It also can easily make the operation speed 
high since advanced semiconductor techniques can be used. The self-checking coverage of the method (2) 
greatly depends on that of the comparator. 

Accordingly, to accomplish the self-checking comparator, it was proposed to use redundant codes, such 
35 as the M-out-of-N code and two-rail logic (1-out-of-2 code), for the logic itself used in the comparison circuit 
See, for example, Yoshihiro Toma, "Theory of Fault Tolerant System," Association of Electronics, Information 
and Communications, 1990. To accomplish the self-checking comparator, they connected the RCCO (Reduc- 
tion Circuit for Checker Output) circuit shown in Fig. 2.5 on page 31 to a tree structure as shown in Fig. 2.6 
on page 32. 

40 The probability of fault occurring in the circuits to be compared is low. It is therefore rare that the signals 

to be compared do not coincide. This means that it is rare that a path to be activated upon detection of the 
inequality is activated. If there occurs such a mode of fault as fixing so that the signal output of the path always 
means the 'equality/ it is feared that the fault is made latent The comparison circuit therefore, does not only 
use the redundant code described above, but also uses a frequency logic, alternating checking method, or 

45 similar dynamic logics of alternating signal levels as a signal indicating that the circuit is normal (hereinafter 
referred to as the signature signal), in place of the binary level logic of 0 and 1. As an example, we can use a 
method of repositioning a permuterfor injecting a simulated fault for testing into the RCCO shown in Figs. 2.15 
and 5.16on page42 in theabovementioned "Theory of Fault Tolerant System." With the method, an alternating 
output signal is obtained if the operation is normal, the alternating output signal is not obtained, on the other 

so hand, if a fault is caused by change of a threshold value of a semiconductor device changes or a fault is due 
to change of a dc characteristic of the device, such as a failure stacked at 0 or 1. The method also injects the 
simulated fault periodically to always confirm operation of the error detection feature. These advantages can 
make the circuit increase the self-checking performance to a great extent 

The above-described prior art has the d isadva ntage that adverse effect of crosstalk or shortcircuit between 

55 wiring nets in the semiconductor device occurs likely. If a fault of the semiconductor device causes crosstalk 
between the wiring nets or shortciurcuit between the wiring nets of if migration of a wiring material or poor 
insulation between insulation layers causes shortcircuit, the wiring net that should not have no signature signal 
in itself may have a signature signal of another wiring net induced thereinto adversely (hereinafter referred to 
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as the counterfeit signature). In general, the fail-safe circuit has the signature signal to indicate that the circuit 
is normal. The circuit may recognize that it is normal in spite of the counterfeit signature due to the crosstalk 
or the shortcircuit It is feared that the fail-safe performance of the circuit is lost 

To prevent such an occurrence of crosstalk and shortcircuit, the prior art has a special design restriction 
5 in the wiring spaces However, this method has to form transistors and wiring lines on the semiconductor sub- 
strate on the basis of the restrictions quite different from the general semiconductors. It cannot have any of 
the convenience of prior arts and automatic designing tools. Most of designing works must be made manually. 

Further, computers and transportation controls bear central roles for finance and similar social key indus- 
tries and parts involved in human life in controlling spaceships and airplanes in recent years. System break- 
to down or wrong system operation due to fault of the computers is spread to fatal effects in the society. In such 
a trend, high reliability of the computers is increasingly needed. 

To make the computers reliable, there is generally used means of redundancy by providing extra compute 
and units forming the computer in advance. 

On the other hand, the redundant hardware to make the computer highly reliable results in great increase 
15 of costs, dimensions, weight, and power consumption. To enhance the investment effect or the cost perfor- 
mance, of the fault tolerant computer system, it is needed to increase the redundant hardware resource effec- 
tively with respect to the reliability and processing performance. 

There is a method of redundant resource management to use the redundant hardware resource. That is 
proposed by Jean-Charles Fabre, et al., "Saturation: reduced idleness for improved fault-tolerance," Proc. 
20 FTCS-18 (The 18th Infl Symp. on Fault-tolerant Computing), pp. 200-205, 1988. 

The prior art by Jean-Charles Fabre, et al., mentioned above has MNC (minimum number of copies), or 
redundant copies, provided in advance to be simultaneously executed for each of tasks. If number of idle nodes 
(redundant computer modules) is larger than the MNC at the time of arrival of a task execution request the 
idle nodes start execution of the task. If the number of idle nodes is smaller than the MNC, the system waits 
25 until current execution of the tasks ends to have a required number of idle nodes. 

The prior art by Jean-Charles Fabre, et al., mentioned above is a useful method of redundant resource 
management for an OLTP (online transaction processor) that has the task start request made frequently. 

However, the prior art lacks of sufficient consideration in occurrence of a fault and further occurrence of 
multiple of faults in view of making highly reliable the real time control computer. This is due to the fact that 
30 the proposed prior art is based on the assumption that the task execution time is sufficiently shorter than the 
MTBF (mean time between failures) with respect to the operational characteristic of the OLTP that the trans- 
action ends in a short time. However, the real time control computer often has tasks executed for a long period 
of time. The computer of an airplane, spaceship, etc., for example, must not only run for the mission time nor- 
mally, but also must support even halting the mission. For the reason, the task execution time cannot be ignored 
35 as compared with the MTBF. We must take in account the occurrence of the fault and further occurrence of 
multiple of faults. 

The above-described prior art has the number of assig ned computer modules managed only upon the time 
of task execution start. Therefore, no computer modules are newly added even if the task executing computer 
modules is caused to fail to function by occurrence of fault during execution of the task. This means that if the 

40 fault occurs during execution of the task, this is continued to execute while the degree of redundance is de- 
creased that is the number of computer modules that is redundantly executing the task. The reliability of the 
task is lost If one of two computer modules redundantly executing a task fails to function, for example, should 
a second fault occur continually, the task is halted to execute. 

A first advantage of the present invention consists in particular in the fact that a logic circuit having error 

45 detection function that has function blocks of feeding out a plurality of signals at least duplexed, compares the 
output signals of the function blocks, and detects an error on the basis of results of the comparison, comprises 
synthesizing means provided to superi mpose inherent waveforms assigned in advance to the respective output 
signals of the function blocks onto the output signals of one of the function blocks, and comparison means for 
comparing a signal output of the synthesizing means with the signal output of the other function block to detect 

so the error. 

For a semiconductor device, as an example, a inherent signal waveform is assigned to each of wiring nets 
corresponding to the above-mentioned output signals as a signature. The signature should be regarded au- 
thentic only if the signal waveform coincides with the one inherent to the wiring net 

To distinguish an authentic signature from counterfeit signature, it is desirable to make the signatures in- 
55 herent to wiring nets not correlate to one another. Orthogonal functions are welt known not to correlate to one 
another. Functions fi(x) and fj(x) are orthogonal to each other when 
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J fi (x) -fj (x) dx=o egr. 2 



The wavelet analysis that can analyze a signal waveform in a time-frequency domain is noted recently in 
place of the conventional Fourieranalysis. The original wavelet also is an orthogonal function. Atrianguiarfunc- 
tion and wavelet are analog functions. To use these in a digital circuit they should be made binary. 
10 With the first feature of the present Invention, for a semiconductor device, as an example, the inherent 

signal waveform is assigned to each of the wiring nets as the signature. The signature should be regarded 
authentic only if the signal waveform coincides with the one inherent to the wiring net. If a fault of the semi- 
conductor device causes crosstalk between the wiring nets of if migration of a wiring material or poor insulation 
between insulation layers causes shortcircuit, the wiring net may have a counterfeit signature signal of another 
15 wiring net induced thereinto adversely. Should it happen, the counterfeit signature can be distinguished from 
the authentic signature since the counterfeit signature does not coincide the signal waveform inherent of the 
wiring net This means that the present invention needs no special wiring restriction to prevent crosstalk or 
shortcircuit that are indispensable to the prior arts to fully detect faults. In addition, the present invention as- 
sures the fail-safe performance. 
20 The effectiveness of said conventional technology is based on the presumption that the fault detected in 

either of the said atleast dualized function blocks is independent of the other function block. In other words, 
it is premised that the same fault never occurs in both of at-least dualized function blocks at the same time. If 
the same fault occurs in both of the dualized function blocks at the same time, the fault output from both of 
the said dualized function blocks match and it becomes impossible to detect the fault by comparing them. This 
25 becomes a big problem when dualized function blocks are arranged in the same semi-conductor chip. Such 
problems may be solved by providing the following control methods according to the invention. 

Thefollowing means that is called diversity may be taken to guarantee the independence of faults to occur 
in either of the said at-least dualized function blocks. 

30 (1) Design diversity 

The design diversity is an effective means to eliminate the influence of faults caused by designs. Espe- 
cially, N- Version Programming for software is well known. The IM-Version Programming is a method to execute 
N versions of a program that are developed with the same specifications concurrently. Also in case of hard- 
35 ware, this design diversity can be materialized by developing circuits with the same specifications in N ways. 
According to this method, however, the number of processes and expenses are needed by N times that of an 
ordinary method for the design and development Thus, it is not effective so much. 

To reduce the number of processes and expenses in designing hardware, therefore, the following method 
is taken in this invention. 

40 The main current to design modern hardware is using the HDt (Hardware Description Language) to create 

a file (logical description) that describes the functions and specifications of the subject logical circuits and cre- 
ating another file (logical net list) that describes the connections of the said logical circuits using a logical syn- 
thesis tool on the basis of the HDL In addition, the said logical net list file is converted to a (physical net list) 
file that describes the wiring and layout of transistors on the actual semi-conductor chip using an auto wiring 

45 tool to create the necessary masks and manufacture semiconductor elements. 

In this case, the design constraints such as the delay time, occupation area, etc., as well as the subject 
algorithm can be changed for logical synthesis and automatic wiring to diversify the target logical net list and 
physical net list. 

The said dualized function blocks can thus be materialized in the subject semiconductor chip on the basis 
so of the logical description of the said logical blocks by selecting 2 physical net lists from among the said diver- 
sified plural physical net lists. 

To select 2 physical net lists from among many, it is only needed to define a correlation function that in- 
dicates how much those physical net lists are resemble and select a combination of the physical net lists so 
that the correlation function may be minimized. In this case, fault characteristics of the semiconductor must 
55 be affected in the correlation function. In general, wire intersection is pointed out as a weak point of semicon- 
ductors. At a wire intersection, two wires are separated only by a thin film oxide, so short-circuits between 
wires and shorts such as crosstalk, etc. are apt to occur. Furthermore, since a wire crosses over the other at 
such a wire intersection, the wire located at the difference of level is often cut off with stress. In other words, 
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the status of the intersection between wires affects the fault characteristics of semiconductors. The correlation 
function in which the fault characteristics of the semi-conductor is affected can thus be defined as follows. 

[Formula 1] 



m n 

i-l Jj'l 

However, the 4>ijK must indicate whether an intersection exists between wiring nets and be defined as fol- 
• lows. 



[Formula 2] 

, 0 : no wiring nets aj - intersecting 
7** k 1 : wiring nets i3 intersecting 



(2) Time diversity 

A fault that occurs in either of at-least dualized function blocks due to electric noise, etc. can be prevented 
from affecting the other even when they are designed in the same way, by delaying the timings of their oper- 
ations individually. And to material such a time diversity, the clock or input signal that decides the timing of a 
dualized function block operation is entered only to one of the dualized function blocks through a delay circuit 
When comparing the output signals from those function blocks, only the signal from the other function block 
can be output through the delay circuit to compare it with that of the former function block in the comparison 
circuit 

(3) Space diversity 

When separating one of the said at-least dualized function blocks from the other, it becomes possible to 
prevent temporary faults that occur in either of those function blocks due to electrical noise, cosmic rays, ra- 
diation, etc., as well as due to the damage of the subject semi-conductor chip from affecting the other. When 
a function block is dualized in a chip and each is checked by itself, the dualized function blocks should be ar- 
ranged in the same direction and in the same pattern. With this, the effectiveness of the space diversity is 
maximized. The corresponding sections of the dualized function blocks can therefore have the same distance. 
As a result it can be prevented that the said corresponding sections of the dualized function blocks come close 
to each other excessively to deteriorate the effectiveness of the space diversity. 

According to this invention/the design diversity, the time diversity, and the space diversity can guarantee 
the independence of faults to be detected in any of the said at-least dualized function blocks by comparing 
the outputs from both the function blocks. With this, it is eliminated that the same type faults occur at the same 
time with a correlation in both the dualized function blocks. It also becomes possible to detect faults by com- 
paring the outputs from those function blocks. 

A second advantage of the present invention consists in particular in the fact that a distributed fault tolerant 
system having a plurality of computer modules assigned to execute a plurality of tasks, comprises selection 
and execution means that if fault occurs in any of the computer modules of the system, selects at least one 
of the computer modules having the tasks assigned thereto other than the task that the broken computer mod- 
ule, assigns to the selected computer module the task that the broken computer module has executed, and 
makes the selected computer module execute the task. 

Each of the computer modules of the present invention operates as follows: 

(1) The computer module broadcasts its fault occurrence information (fault detection results) and process 
results to the other computer modules at proper timing (check points) during processing the task. 

(2) The computer modules calculate their respective evaluation functions Fij, where i is a processor number 
and j is a task number. The evaluation function Fij can be regarded as a margin for the responsibility to 
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be taken on by the computer module for the task.lt is based on equality or inequality of the fault occunence : 
information (fault detection results) and process results broadcast from the other computer modules. 
(3) Each of the computer modules decides task j for minimizing the evaluation function Fij as a process 
to execute before switching the task in process to the process to be executed. 
5 The evaluation function Fij represents a margin of reliability of the task. Therefore, it should be determined 

so that Fij can be low as importance of the task is high, Fij can be low as responsibility of the computer module 
for the task is high, and Fij can be high as the reliability of the task is high. 

An example of the evaluation function Fij meeting the conditions mentioned above is 

Fij = Lrj - Lthij, 

10 or 

Fij = Lrj / Lthij 

where Lthij is a threshold value of the reliability level of task j in the computer module i, Lrj is the reliability 
level of task j, i is an own computer module number, and j is the task number. 

Another example of the evaluation function Fij meeting the conditions mentioned above is 
is Fij = log{(1 - LthijyPej} 

where Pej is a probability of wrong calculation results of task j. 
It should be noted that Lthij that is the threshold value of the reliability level of task j is different depending 
on the importance of the task. It is set to high value as the task is needed to have high importance or high 
reliability. .... 
20 Further, Lthij has to be different depending on the computer module. It has to be high as the responsibility 

of the computer module is high for the task. 

With the second feature of the present invention, the computer modules are assigned to the tasks so that 
the evaluation functions Fij can be made to always balance. This will not make Fij of a specif ic task jut out too 
high or low. That is, if there is the specif ic task of low reliability level (hereinafter referred to as the endanger«l 
25 task) due to occurrence of fault during operation, a computer module in execution of another task having margin 
of reliability is made to execute the endangered task. This can prevent the reliability level of the specif ic task 
alone from being lowered. For the reason, the second feature can countermeasure any occurrence of fault dur- 
ing execution of the tasks so that the responsibility given to the system can fulfilled while the reliability is kepL 
Also, since Lthij is set high as the importance of a task is high, Fij can be balanced with the other tasks at 
30 higher Lrj. For the reason, number of computer modules should be assigned much to the task the importance 
of which is high to keep higher reliability level Lrj. 

Further, since each of the computer modules can autonomously decide the task to execute, it is needed 
to have a central arrangement for assigning task executions, thereby causing no single fault points. This means 
the single fault will not affect the whole system, thereby being capable of increasing the system reliability. 
35 The above and other objects, features and advantages of the present invention will be apparent from the 

following detailed description of the preferred embodiments of the invention in conjunction with the accompa- 
nying drawings, in which: 

Fig. 1 depicts a circuit diagram illustrating a basic embodiment of the present invention; 
Fig. 2 depicts a circuit diagram illustrating an embodiment corresponding to function blocks; 
40 Fig. 3 depicts a circuit diagram illustrating an embodiment of the present invention having a comparator 

formed of the RCCO tree; 

Fig. 4 depicts a circuit diagram illustrating an embodiment of the present invention in which signals fed 
from a function block B also have an orthogonal waveform added thereto; 

Fig. 5 depicts a circuit diagram illustrating an embodiment of the present invention in which orthogonal 
45 waveform generating circuits are duplexed; 

Fig. 6 depicts a signal timing chart illustrating the orthogonal function waveforms; 

Fig. 7 depicts a circuit diagram illustrating an embodiment of the orthogonal waveform generator circuit; 

Fig. 8 depicts a block diagram illustrating an embodiment of an integrator circuit; 

Fig. 9 depicts a timing chart illustrating the orthogonal function waveforms and signature output signal; 
so Fig. 10 depicts a timing chart illustrating the orthogonal function waveforms and signature output signal 

at a time of fault; 

Fig. 11 depicts a block diagram illustrating an embodiment of another integrator circuit; 

Fig. 12 depicts another timing chart illustrating the orthogonal function waveforms and signature output 

signal at a time of fault; 

55 Fig. 13 depicts a block diagram illustrating an embodiment of another integrator circuit; 

Fig. 14 depicts another timing chart illustrating the orthogonal function waveforms and signature output 
signal; 

Fig. 15 depicts a detailed circuit diagram illustrating an embodiment of the present invention; 
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Fig. 16 depicts a block diagram illustrating a self-checking computer made up of the present invention; 
Fig. 1 7 depicts a block diagram illustrating a fault tolerant computer made up of the self-checking computer, 
Fig. 18 depicts a block diagram illustrating a switching control circuit; 

Fig. 1 9 depicts a circuit diagram illustrating a self-checking comparator according to the present invention; 
5 Fig. 20 depicts a block diagram illustrating a configuration of a fault tolerant system according to the pres- 

ent invention; 

Fig. 21 depicts a conceptually functional outline illustrating a configuration of a computer module of the 
present invention; 

Fig. 22 depicts a conceptually functional outline illustrating another configuration of the computer module 
10 of the present invention; 

Fig. 23 depicts a conceptual outline illustrating an embodiment of the present invention; 

Fig. 24 depicts a conceptual outline illustrating another embodiment of the present invention; 

Fig. 25 depicts a conceptual outline illustrating another embodiment of the present invention; 

Fig. 26 depicts a flow chart illustrating condition judgement features that decide a task to be executed by 
15 the present invention; 

Fig. 27 depicts a timing chart illustrating instants of switching a task; 

Fig. 28 depicts a flow chart illustrating condition judgement features having dead-zone that decide a task 
to be executed by the present invention; 

Fig. 29 depicts a timing chart illustrating a change of Fij without dead-zone; 
20 Fig. 30 depicts a timing chart illustrating a change of Fij with dead-zone; 

Fig. 31 depicts a graph illustrating number of normal computer modules assigned with time; 

Fig. 32 depicts a block diagram illustrating an embodiment of averaging Lrj; 

Fig. 33 depicts a timing chart illustrating a change of Fij without averaging Uj; 

Fig. 34 depicts a timing chart illustrating a change of Fij with averaging Lrj; 
25 Fig. 35 depicts a timing diagram illustrating an embodiment of the present invention for relaxing increases 

of amount of communications among the computer modules; 

Fig. 36 depicts a flow chart illustrating a judgement whether or not broadcasting should be made; 
Fig. 37 depicts a flow chart illustrating another judgement whether or not broadcasting should be made; 
Fig. 38 depicts a block diagram illustrating an embodiment of the present invention for application to an 
30 adaptive-control system; 

Fig. 39 depicts a table illustrating how the computer modules are assigned; 

Fig. 40 depicts a cross-sectioned view illustrating a servo-motor system as an embodiment of the present 
invention; 

Fig. 41 depictsa longitudinally sectioned view taken across A-A' in Fig. 40 illustrating the servo-motor sys- 
35 tern; 

Fig. 42 depicts a circuit diagram illustrating a circuit for the servo-motor system; and 

Fig. 43 depicts a block diagram illustrating a system configuration in use for the servo-motor systems; 

Fig. 44 is a design automation by automatic logical synthesis tool and automatic wiring tool; 

Fig. 45 is a diversified design by diversifying constraints; 
40 Fig. 46 is an example of extracting some design results from diversified design results; 

Fig. 47 is an example of diversifying an operation time; 

Fig. 48 is another example of diversifying an operation time; 

Fig. 49 is still another example of diversifying an operation time; and 

Fig. 50 is an embodiment of a layout in a chip. 
45 The embodiments of the invention will be set forth in detail with reference to the accompanying f igures 

and in the following three chapters of (1) Self-checking logic, (2) Redundancy resource management, and (3) 
Diversities. 

1 . Self-checking logics 

50 

The following describes in detail self-check comparators that are embodiments according to the present 
invention, by reference to Figs. 1 to 19. 

Fig. 1 depicts a circuit diagram illustrating the comparator that is an embodiment of the present invention. 
In operation, signals aO to an (10 to 1n) fed from a function block A have errors injected thereto for testing by 
55 permuters 80 to 8n according to an orthogonal waveform (test pattern) generated by an orthogonal waveform 
generator circuit 100. The signals having the errors become error-injected signals a0* to an' (10' to 1n*). Note 
that the permuters 80 to 8n, as shown in the figure, are exclusive-ORes that has a feature capable of injection 
of pseudo-errors for testing. In turn, the error-injected signals 10* to 1n' are compared with signals bO to bn 
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(20 to 2n) fed from a function block B by comparison circuits 30 to 3n. Comparison results 40 to 4n are collected 
in a integrator circuit 5. The integrator circuit 5 can feed out a signature signal of normality to a signature output 
6 only when the comparison results 40 to 4n are normal signatures. 

Let ai* represent any one of the error-injected signals aO' to an' (10' to 1n'). Then, 
5 aP = ai A pi (3) 

where i is a signal number of 0 to n, pi is the orthogonal waveform (test pattern) generated by the or- 
thogonal waveform generator circuit 1 00, and A is an operator for the exclusive-ORes. Also let ci represent any 
one of the comparison results cO to cn (40 to 4n). Then, 

cjl • ai ' bx 

= ai^pi^bi .. (4) 

15 If the function blocks A and B are normal, ai = bi. Then, ai*bi = 0. Hence, 

ci = pi (5) 

Since any ones of pi with i being 1 to n are orthogonal to each other, ci also is orthogonal with cj, where i 
is not equal to j. Assuming ai and pi are statistically independent, or orthogonal, ai and ai* are orthogonal to 
each other, and bi and ai* also are orthogonal to each other. In addition to the orthogonal waveforms, the group 
20 of waveforms include correlated waveforms of ai with bi and pi with ci. In order to prevent the counterfeit sig- 
nature from being generated by the crosstalk or the shortcircuit mentioned previously, the circuit layout should 
be designed so as to separate the signal ai from bi and the signal pi from ci physically. This will keep generation 
of the counterfeit signature due to the crosstalk or the shortcircuit from affecting the function. An embodiment 
of the circuit layout will be discussed later by referring to Fig. 15. 
25 The embodiment of the present invention described above can provide a fully self-checking comparator 

without any special wiring limit 

The function blocks A110andB111 shown in Fig. 2 do not always feed out the effective signals aO to an 
(10 to 1n) and bO to bn (20 to 2n), but often feed out the together with strobe signals that indicate that the 
signals aO to an (10 to 1n) and bO to bn (20 to 2n) are effective. In those cases, as shown in Fig. 2, latch 120 
30 and 121 should be held when the strobe signals 130 and 131 make effective the signals aO to an (10 to 1n) 
and bO to bn (20 to 2n). The kind of signals used for the strobe signals in a circuit having a microprocessor 
used is different depending on the microprocessor. The strobe signals available for an address signal and a 
control signal include AS (address strobe) and BS (bus start), and the ones for data signals are TA (transfer 
acknowledge) and DTACK (data transfer acknowledge). 
35 Fig. 3 depicts a circuit diagram illustrating an embodiment of the present invention having a comparator 

formed of the RCCO tree described in "Theory of Fault Tolerant System," Yoshihiro Toma, Association of Elec- 
tronics, Information and Communications, 1 990. In operation, signals aO to an (1 0 to 1 n) fed from the function 
block A have errors injected thereto for testing by the permuters 80 to 8n according to the orthogonal waveform 
(test pattern) generated by the orthogonal waveform generator circuit 100. The signals having the errors be- 
40 come error-injected signals 10' to 1n\ which are fed to the RCCO tree 3. Note that in the RCCO tree, the sig- 
nature output 6 also is of binary logic. 

The RCCO tree 3, like the embodiment in Fig. 1 , has an input and output signals made orthogonal therein 
to prevent shortcircuit from generating counterfeit signature. 

The embodiments given below are described on the basis of the comparison circuit in Fig. 1. The compar- 
45 ison circuit of the RCCO tree can be embodied in a similar way unless otherwise specified. 

Fig. 4 depicts a circuit diagram illustrating an embodiment of the present invention in which signals bO to 
bn (20 to 2n) fed from a function block B have errors injected thereto by permuters 90 to 9n according to an 
orthogonal waveform generated by an orthogonal waveform generator circuit 100. The embodiment can pre- 
vent a stack failure input to the comparison circuit from becoming latent if bi is kept at the same value for a 
so' long period of time. If bi is an address signal and a program uses addresses in a specific area only, for example, 
a high bit of the address is kept at the same value for a long period of time. 

Fig. 5 depicts a circuit diagram illustrating an embodiment of the present invention in which the function 
blocks A and B are associated with independent orthogonal waveform generator circuits 1 00 and 1 01 , respec- 
tively. This embodiment having orthogonal waveform generator circuits 100 and 101 duplexed to detect and 
55 report any of failures of the orthogonal waveform generator circuits 100 and 101. The embodiment also can 
make use of a superiority of independency of the two systems on the circuit layout that will be discussed later 
by referring to Fig. 15. 

Fig. 6 depicts a signal timing chart illustrating an embodiment of the present invention that uses waveforms 
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of which pulses are turned on at time slots inherent to wiring nets. The figure shows output patterns pO to pn • 
of the orthogonal waveform generator circuit 100 and comparison results cO to cn (40 to 4n) when both the 
function blocks A 110 and B 111 are normally. 

Fig. 7 depicts a circuit diagram illustrating an embodiment of the orthogonal waveform generator circuit 
5 1 00 for generating the patterns as in Fig. 6. In operation, if the system is power on to reset, a reset signalis 
made active to preset a flip-flop 1001 to '1' as initial value, then resets flip-flops 1002 to 100m to '0* as initial 

value. That is, the train of flip-flops 1 001 to 1 00m are set to 1 , 0, 0, 0, 0 and 0. After the power-on resetting, ; 

a CLK (clock) signal successively shifts the pattern of 1 , 0, 0, 0, 0 and 0 to generate the pattern as in Fig. 

6. The flip-flops 1 001 to 1 00m are made redundant and if majority outputs of each of the redundant flip-flops 
10 are taken. Then, that can prevent software errors of the flip-flops due to noises and radioactivity and temporary 
errors, such as transient fault, called the single event upsets. That also can increase the reliability. Of course, 
the orthogonal waveform generator circu it 1 00 also can be used in the RCCO tree 3 in Fig. 3. 

Fig. 8 depicts a block diagram illustrating an embodiment of an integrator circuit 5 useful for the pattern 
in Fig. 6. Such a simple OR as in Fig. 8 can make different waveforms of the patterns in Fig. 6. This allows us 
is to know occurrence of failure. Even if shortcircuit occurs among the wiring nets, an authentic signature will 
not appear on the signature output 6 wrongly, or no counterfeit signature can be fed out, because there are 
no other wiring nets that use the authentic signature for p2 and c2. This means that even if a counterfeit sig- 
nature is generated by a shortcircuit, the embodiment can assure of a fail-safe performance. 

Fig. 11 depicts a block diagram illustrating an embodiment of the present invention that has an excess 
20 pulse detection feature in addition to the pulse extraction detection feature of the integrator circuit in Fig. 8. 
The excess pulse is def ined here as a phenomenon that some of the signals cO to cn (40 to 4n) are on simul- 
taneously. In operation, if any one of the signals cO to cn (40 to 4n) is turned on as in Fig. 9, both OR 50 and 
EOR 51 generate the signature output signal 6 as in the figure. If c2 and cn are turned on at the same time 
as in Fig. 12, the signature output line 61 has a pulse extracted as shown in the figure. As the pulse-extracted 
25 signal is different from the normal one, it helps us to know of generation of failure. 

Fig. 13 depicts a circuit diagram illustrating an embodiment of the integrator circuit 5 further having order 
of coming pulses taken into account In operation, if the signature pulses as comparison results come in normal 
order of cO, c1, c2, .... and cn, the signature output signal 6 is level-reverted whenever the signature pulse 

comes in, as shown in Fig. 14. If any of the signature pulses of cO, d, c2 and cn is extracted, however, 

30 the signature output signal 6 cannot be reverted or its period is made very longer. As the period of the signature 
output signal 6 in this embodiment is made very longer at failure, it is easy to detect the failure. 

Fig. 1 5 depicts a detailed circuit diagram illustrating an embodiment of the present invention. In operation, 
the signals aO to an (10 to 1n) fed from the function block A 110 are latched in a latch 120 by a strobe signal 
1 30. The latched signals are exciusive-ORed with the orthogonal waveforms of the orthogonal waveform gen- 
35 erator circuit 100 in the permuters 80 to 8n to become a0' to an* (10* to 1n')- Similarly, the signals bO to bn (20 
to 2n) fed from the function block B 111 are latched in a latch 121 by a strobe signal 131. The latched signals 
are exciusive-ORed with the orthogonal waveforms of the orthogonal waveform generator circuit 101 in the 
permuters 90 to 9n to become b0* to bn' (20' to 2n'). The signals a0* to an' (10' to 1n') and b0' to bn f (20' to 
2n') formed above are compared by the comparison circuits 40 to 4n. The comparison circuits 40 to 4n feed 
40 out comparison results cO to cn (40 to 4n). The comparison results becomes signature outputs 6 through the 
integrator circuit 5. 

The circuit of the embodiment is divided into three areas: an area 0 (200), including the comparison circuits 
40 to 4n and the integrator circuit 5, an area 1 (201), including the function block A 110, the latch 120, the or- 
thogonal waveform generator circuit 1 00, and the permuters 80 to 8n, and an area 2 (202), including the f unc- 

45 tion block B 111, the latch 121, the orthogonal waveform generator circuit 101. and the permuters 90 to 9n. 
The areas 0 (200), 1 (201). and 2 (202) can be formed in individual chips. The areas also can be formed in a 
single chip. In this case, areas 0 (200). 1 (201). and 2 (202) should be arranged to have distances from one 
another and/or have individual power grounds to prevent a failure from spreading. The circuit construction of 
the embodiment described above has the advantage that no influence can be caused by generation of the 

so counterfeit signature due to shortcircuit as the correlated signals ai and bi and the ones pi and ci can be isolated 
from one another geometrically, physically, and electrically. 

In general, it is efficient for designing a high-performance LSI to use a heuristic method of human exper- 
iences and intuition for rough layout or floor plan before automatically wiring its details on the basis of a specific 
algorithm. Accordingly, many existing automatic wiring tools provide features for entering the rough layout or 

55 floor plan by person and the ones for automatic wiring the details. The method of the embodiment matches 
with, or suites to, of the features of the existing automatic wiring tools well. This means that the method can 
make use of the features of the automatic wiring tools to the best 

The embodiment described above can be easily achieved to check itself in the way that the function blocks 
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formed in an ordinary logic design should be copied logically or optically before being combined with the area 
0 (200) of the comparison circuits 40 to 4n and the integrator circuit 5. This can not only increase the reliability, 
but also reduce number of the development steps and development cost to great extents. 

Fig. 16 depicts a block diagram illustrating a self-checking computer made up of the present invention. 

5 The function blocks A 110 and B 111 are connected with respective MPUs (microprocessing units), WDTs 
(watch dog timers), INTCs (interrupt controllers), and other computer elements through respective interface 
buses 212 and 21 3. The function blocks also are connected to respective external buses 206 and 207 through 
respective interfaces 204 and 205. In operation, the comparator of the present invention compares the signals 
on the internal buses 212 and 213 with the signals having signatures superimposed thereon by the permuters 

10 80 to 8n and 90 to 9n according to the pattern generated by the orthogonal waveform generator circuits 100 
and 101 to judge whether or not the function blocks A 110 and B 111 is normal. If the signals on the internal 
buses 212 and 21 3 coincide, the comparator (area 0 (200)) feeds the signature signal out to the signature out- 
put signal 6. Further, a single-chip self-checking microcomputer can be achieved in the way that as shown in 
Fig. 16, the function block A 110 (area 1 (202)), the function block B 111 (area 2 (202)), and the comparator 

15 (area 0 (200)) should be isolated from one another according to the layout shown in Fig. 15, and the their power 
grounds should be separated on the single chip. Note that the latches 120 and 121 are omitted in the figure 
for simplicity. 

The comparator (area 0 (200)) can check the signals on the external buses 206 and 207 in addition to the 
ones on the internal buses 212 and 213. This allows monitoring all the operations of the whole LSI, including 
20 that of the interfaces 204 and 205. 

The embodiment described above can be easily achieved to check itself in the way that the function blocks 
formed of the MPUs (micro-processing units), the WDTs (watch dog timers), the INTCs (interrupt controllers), 
and other microcomputer elements in an ordinary design should be copied logically or optically at a mask pat- 
tern level to duplex before being combined with the area 0 (200) of the comparison circuits 40 to 4n and the 
25 integrator circuit 5. This can not only increase the reliability, but also reduce the number of development steps 
and development cost to great extents. 

Fig. 1 7 depicts a block diagram illustrating a fault toierant computer made up of the self-checking computer. 
In operation, one of signals fed out of self-checking computers 203 and 203* to respective external buses 206 
(207) and 206' (207*) is selected by an output selector circuit 210 to lead to a final output line 211. The output 
30 selector circuit 210 is controlled by a switching control signal 209 generated by a switching control circuit 208 
on the basis of the signature outputs 6 and 6'. That is, the output selector circuit 21 0 selects the signal output 
of the self-checking computer regarded normal on the basis of the signature outputs 6 and 6' fed from the self- 
checking computers 203 and 203*. 

Fig. 18 depicts a block diagram illustrating the switching control circuit 208. In operation, the signature 
35 monitoring circuits 212 and 213 monitor the signature outputs 6 and 6', If the signature outputs 6 and 6' are 
normal, the signature monitoring circuits feed out 'normal' signals to monitored result lines 214 and 215, re- 
spectively. If any of the signature outputs 6 and 6' is abnormal, the signature monitoring circuit feeds out an 'ab- 
normal' signal to the monitored result line 214 or 215. Ajudge logic 216 feeds out a signal meaning "select ex- 
ternal bus 206' (20r)" to the switching control signal 209 only when the signature output 6 is abnormal and 
40 the signature output 6' is normal. In the other cases, the judge logic 216 feeds out a signal meaning "select 
external bus 206 (207)." For simplicity on drawings, level H of binary logic denotes the signal of 'normal' of 
the monitored result line 214 or 21 5; level L is the signal of 'abnormal'; level H also is the signal meaning "select 
external bus 206' (207')" fed to the switching control signal 209; and level L also is the signal meaning "select 
external bus 206 (207)." These signals of the present invention are not limited to the binary logic, but can be 
45 made in any of redundant logics, such as two-wire logic (1-out-of-2 code), frequency logic, and the signature 
provided inherent to every net by the present invention. This can make highly reliable the switching control 
circuit 208 and the whole system as well. 

The following further describes the embodiment of the signature monitoring circuits 212 and 213. If the 
signature output signal 6 is a periodic waveform as shown in Fig. 9, the signature monitoring circuits 212 and 
so 213 can be accomplished in the way that a counter should be arranged to monitor that the pulse arrives at 
certain intervals. If the signature output signal 6 is a further complicated waveform, the signature monitoring 
circuits 212 and 213 can be accomplished in the way that the signature output signal 6 should be correlated 
with a reference (template) waveform, and if the correlation is 1.0, the signature should be judged normal or 
if the correlation is less than 1 .0, the signature should be judged abnormal. 
55 With the embodiment described above, we can structure the fault tolerant system of hot standby type hav- 

ing the self-checking computer 203 as a main system and the self-checking computer 203' as a substitute sys- 
tem (standby system). In addition, the detection method of little detection missing provided by the present in- 
vention can accomplish the system of higher reliability than the conventional ones. 
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The self-checking computers provided by the present invention can be used in fault tolerant systems of 
various configuration as well as the system configuration described above. For example, the self-checking 
computers can be used in the system that the inventors already disclosed in the Japanese Patent Application 
No. 03-1 5946 (corresponding US-A-5084878). This can be accomplished in a way that the subsystems 1 -1 to 

5 1-N shown in Fig. 5 in the Japanese Patent Application should be replaced by the self-checking computer 203 
provided by the present invention, the outputs 3-1 to 3-N in the application should be replaced by the external 
bus 208 (207) of the present invention, and the cross diagnosed results 4-1 to 4-N in the application should 
be replaced by the signature output 6 of the present invention. 

Fig. 1 9 depicts a circuit diagram illustrating a self-checking comparator according to the present invention. 

10 The comparator 217 is divided into three areas: area 0 (200), area 1 (201), and area 2 (202). Area 0 200 includes 
the comparison circuits 40 to 4n and the integrator circuit 5. Area 1 (201 ) includes the latch 120, the orthogonal 
waveform generator circuit 100, and the permuters 80 to 8n. Area 2 (202) includes the latch 121, the orthogonal 
waveform generator circuit 101, and the permuters 90 to 9n. Areas 0 (200), 1 (201), and 2 (202) should be 
arranged to have distances from one another and/or have individual power grounds to prevent a failure from 

15 spreading. The circuits of the comparator mentioned above are arranged in a single chip. The comparator 217 
is connected with the external function blocks A 11 0 and B 1 11 to compare their outputs. The circuit construction 
of the embodiment described above, like the embodiment described in Fig. 15, has the advantage that no in- 
fluence can be caused by generation of the counterfeit signature due to shortcircuit as the correlated signals 
ai and bi and the ones pi and ci can be isolated from one another geometrically, physically, and electrically. 

20 The embodiment has the advantage that the fail-safe performance can be assured even if a counterfeit 

signature is generated by shortcircuit This means that to accomplish a fail-safe logic circuit, the present in- 
vention needs no special limits, but can take advantage of using the existing semiconductor technology and 
automatic designing tools. It can be expected to reduce both development cost and time to great extents. 

25 2. Redundancy resource management 

In turn, the following paragraphs describe the managing method of redundant resource and the fault tol- 
erant system with use of it that are embodiments of the present invention, by referring to Figs. 20 to 43. 

30 A. PRINCIPLES OF OPERATION 

Fig. 23 depicts a conceptual outline illustrating an embodiment of the present invention. As an example, 
it is assumed in the figure that computer modules 1101 to 110(i - 1) executes task 1 for redundancy, computer 
modules 110i to 11 Om executes task 2 for redundancy, the system cannot run normally because of fault of the 
35 computer module 110(i - 1). If the system cannot run normally because of fault of the computer module 110(i 
- 1), the computer module 11 Oi halts the execution of task 2 and starts execution of task 1. This can relax ex- 
tensive reduction of number of the computer modules executing task 1 due to the fault of the computer module 
110(i - 1), thereby preventing high fall of reliability of task 1 . 

Fig. 24 depicts a conceptual outline illustrating an embodiment of the present invention in which evaluation 
40 functions F1 and F2 are introduced to judge for task switching the computer module 110i in Fig. 23. It is as- 
sumed that the evaluation functions F1 and F2 are the ones that reflect the reliabilities of tasks 1 and 2, re- 
spectively. A method of determining the evaluation functions will be described later. On the left in the figure, 
the evaluation function F1 (reliability) is made lower than F2 as fault occurs in the computer module 110(1- 1) 
executing task 1 . Then, as shown on the left in the figure, the computer module 11 Oi of the computer modules 
45 executing task 2 is added to execute task 1 so that the evaluation functions F1 and F2 become virtually equal. 
If the evaluation functions are made to greatly differ with occurrence of fault determination which computer 
module should change executing task is made in the way that responsibilities of each computer module are 
set for the tasks in advance. In the embodiment, among the computer modules 110i to 110m executing task 
2, the computer module 110i has the highest responsibility for task 1. 
so If the hardware for performing the redundant resource managing features, including the task changing fea- 

ture and the judgement feature, is not made redundant but single, it may happen that fault of the hardware 
prevents the whole system and the redundant resource managing features as well from normally running. To 
avoid this, it is needed to make redundant the hardware itself for performing the redundant resource managing 
features. There are three methods for making it redundant 
55 (1) A method of adding and making redundant an exclusive hardware to carry on the redundant resource 

managing features, and 

(2) Amethod of using a plurality of ones of the computer modules 1 1 01 to 110(i - 1 ) to carry on the redundant 
resource managing features and to judge which computer module should change executing task, and 
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(3) A method of having the redundant resource managing features to make the computer modules 1101 
to 110(i - 1) judge and execute the task by themselves. 

The method (1) can be accomplished by having a plurality of the hardware and/or software to achieving 
the redundant resource managing features shown in Figs. 23 and 24. The method (2) can be accomplished in 
5 a way that the tasks for making the redundant resource managing features shown in Figs. 23 and 24 should 
be allotted to a plurality of compute modules and ii ke the other tasks, subjected to the redundant resource man- 
aging features. In turn, an embodiment of the method (3) is described below. 

Fig. 25 depicts a conceptual outline illustrating the embodiment of the method (3) in which each of the 
computer module can independently judge by itself whether or not it should be added to execute the task of 
10 low evaluation function if the evaluation functions are made to differ greatly with occurrence of fault The com- 
puter modules 1101 to 110m calculate their respective evaluation functions Fij, where i is a processor number 
and j is a task number. Each of the evaluation functions Fij should be defined so that it is made low as the 
computer module has high responsibility for task j. In other words, the evaluation function Fij can be regarded 
as a margin for the responsibility to be taken on by the computer module for the task. In Fig. 25, for example, 
15 the computer modules 1101 to 110m bear high responsibility fortask 1 and is low for task 2 in that order. There- 
fore, even if all the computer modules are normal as shown on the left in Fig. 25, the evaluatbn functions are 
F11 < F21 < 1101 to 110(i - 1), it holds that Fij < Fi2. For the computer modules 110i to 110m, it holds that Fi1 
< Fi2 holds. The computer modules therefore executes their tasks 1 and 2, respectively. 

If fault occurs in the computer modules 1 10(i - 1 ) as shown on the center in Fig. 25, all the computer modules 
20 are lowered in Fi1, the computer module 11 Oi is reverted in the relationship of value between Fil and Fi2, that 
is, FI1 < FI2. Therefore, the computer module 110i f as shown on the center in Fig. 25, halts execution of task 
2 by its own independent judgement before starting task 1 . As described above, the embodiment makes each 
of the computer modules independently change the task by its own judgement. The embodiment therefore has 
no so-called manager in which the redundant resource managing features are concentrated for the whole sys- 
25 tern. This means that the embodiment has no single fault point as bottleneck in increasing the reliability, thus 
being capable of increasing the dependability of the redundant resource managing features themselves. 

The embodiments described above by referring to Figs. 23 to 25 have only two tasks, tasks 1 and 2, used 
in the system to execute as an example for simplicity. Of course, the embodiments can manage the redundant 
resource also for any number of tasks as desired. 
30 As for selections of results of calculation by redundant computer modules for tasks, they can be made by 

decision of majority or the method that the inventors already disclosed in the Japanese Patent Application No. 
1-288928. 



35 



B. SYSTEM CONFIGURATION 



Fig. 20 depicts a block diagram illustrating a system configuration to accomplish the present invention: 
The system of the present invention is formed of m numbers of computer modules 1101 to 110m having the 
same functions. Tasks 1111 to 111n have a plurality of computer modules assigned thereto to execute redun- 
dantly for highly reliable operation. In the example shown in Fig.20,i1 numbers of the computer modules 1101 

40 to 110i1 are assigned to task 1 (1111), (i2 - i1) numbers of the computer modules 110(i1 + 1) to 110i2 are to 
task 2 (1112), and (i rH . 1 - m) numbers of the computer modules 110 ft*., + 1) to 110m are to task n(111n). 

Each of the computer modules 1101 to 110m can feed out signals to output selector circuits 151 to 15X. 
Note that the signals 31 -1 to 31 -X to 3m-1 to 3m-X are fed out to the output selector circuits 1 51 to 1 5X for the 
computer modules 1 1 0-1 to 1 1 0-m, respectively. Also, the computer modules 1 1 0-1 to 1 1 0-m feed out selection 

45 control signals 41-1 to 41-X to 4m- 1 to 4m-X to the output selector circuits 151 to 1 5X together with the output 
signals 31-1 to31-Xto3m-1 to3m-X. The selection control signals41-1 to41-Xto4m-1 to4m-X indicate wheth- 
er or not the output signals 31-1 to 31 -X to 3m- 1 to 3m-X should be selected by the output selector circuits 1 51 
to 15X. If the computer module 1101 is normal and feeds out the signal 31-3 to the output selector circuit 151 
to have that signal fed out thereto, for example, the selection control signal 41-1 is turned on. 

so The figure has only the output signals 31-1 to 31 -X and the selection control signals 41-1 to 41-X indicated 

therein, but omits the output signals 32-1 to 32-X to 3m-1 to 3m-X and the selection control signals 42-1 to 42- 
X to 4m- 1 to 4m-X. 

The output selector circuits 1 51 to 1 5X decide the signals to be fed out on the basis of the selection control 
signals 41-1 to 41-X to 4m-1 to 4m-X. The signals becomes outputs 161 to 16X. Note that the outputs 161 to 
55 1 6 are connected to output units 1 71 to 17X. Also, note that in many control units, the output units 171 to 17X 
use electrical and hydraulic actuators to control subjects. 

For the output selector circuits 151 to 15X is available the MV (modified voter) that the inventors already 
disclosed in Fig. 2 in the Japanese Patent Application No. 1-288928. 
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Fig. 21 depicts a conceptually functional outline illustrating a configuration of the computer module 110i 
to embody the present invention. The computer module 11 Oi has a task executing device 12i, a fault data ex- 
changing feature 13i, a judging feature 14i for deciding a task to be executed, and a task changing feature 1 5i. 
These are to select and execute the task to be executed f rom among task 1 (111 1 ) to task n (111 n) on the basis 
5 of a judgement result by the judging feature 14L In the embodiment shown in the Fig. 21 , the computer module 
1101 executes task 1 (1111). 

The fault data exchanging feature 13i broadcasts a fault occurrence situation in its own computer module 
and the process results of the executed task to other computer modules via a communication path 11. At the 
same time, the feature collects the fault occurrence situations broadcast by the other computer modules and 
10 the process results of the executed task. 

Previously proposed methods of communicating with the other computer modules via the communication 
path 1 1 include the method of message passing, the method of shared memory, and the method of memory 
bank switching. Previously proposed forms of the communication path 11 include the bus type, the net type, 
and ring type. 

15 Fig. 22 depicts a block diagram illustrating a configuration of the computer module 11 Oi to embody the 

present invention. A bus 20i in the figure is connected with an MPU (micro-processing unit) 21 i, a communi- 
cation interface 22i, an output interface 23i, a selection control signal interface 24i, and a memory unit 25i. 
The communication interface 22i is connected with the other computer modules via the communication path 
11 for communication with any of them. The fault data exchanging feature 13i in the figure is accomplished 

20 through the selection control signal interface 24i. 

An output interface 23i is a circuit for feeding out signals 3M to 3I-X to the output selector circuits 151 to 
1 5X. The signals can be transferred either in parallel or serial way depending on use. If the output interfaces 
23i are arranged to feed out their respective independent signals 31-1 to 3i-A,, they can be used for anapplication 
in which a plurality of output units are used simultaneously. 

25 The selection control signal interface 24i is a circuit for feeding out selection control signals 41-1 to 4i-X to 

the output selector circuits 151 to 15X. The MPU 21 i can be used to write at a register of the selection control 
signal interface 24i to turn on, or select, any desired one of the selection control signals 4M to 4i-X. Conditions 
for turning on, or selecting, the selection control signal 4i-X\ where V is an integer of 1 to Jt, include 

a. The computer module 110i executes a task of feeding out the signal 3i-V to the output selector circuit 
30 151'; and 

b. The computer module 11 Oi regards that the executing task is normal. 

For a method of judging normal or abnormal in condition b is available the one that the inventors already 
disclosed in the Japanese Patent Application No. 1-288928. 

If the computer module 1101 executes task 1 that is normal and feeds out the signal to the output selector 
35 circuit 1 51 , and if fault occurs in the other computer module 1 1 0-i that executes task 2 that feeds out the signal 
to the output selector circuit 1 52, and if the computer module 11 Oi bears the highest responsibility for task 2, 
then the computer module 11 Oi halts execution of task 1 before starting task 2. In that event, the selection con- 
trol signal 41-1 from the computer module 1101 to the output selector circuit 151 that is on during execution 
of task 1 is turned off at the end of execution of task 1 . At the start of execution of task 2, the selection control 
40 signal 42-1 the output selector circuit 152 is turned on. Further, the selection control signal 4i-2 from the com- 
puter module 11 0-i to the output selector circuit 152 that is on is turned off at the instance when fault occurs. 
As a result after the fault occurrence, the output selector circuit 152 can select the output signal 32-1 from 
the computer module 1101 as an output signal 1 62 to feed to an actuator 1 72, while before the fault occurrence, 
the output selector circuit 1 52 selects the output signal 32-i from the computer module 11 0-i executing task 2 
45 normally as the output signal 1 62 to feed to the actuator 1 72, 

As described above, the embodiment of the present invention can use the plurality of computer modules 
to execute the plurality of tasks in parallel and redundant way. 

In the description, it was assumed that the single task feeds out signal to the plurality of actuators. Also, 
it can be assumed that the single task feeds out signal to the plurality of actuators or no tasks will feed out 
so signal to the actuators at all. 

C. CALCULATION AND DECISION ALGORITHM OF EVALUATION FUNCTIONS 

Fig. 26 depicts a flow chart illustrating decision features 14-1 to 14-m that decide a task to be executed 
55 by the present invention. 

An evaluation function calculation step 300 in the figure calculates an evaluation function Fij, where j is 
a task number, for the given task. 

As mentioned previously, the evaluation function Fij represents a margin of reliability of the task. There- 
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fore, it should be determined so that Fij can be low as importance of the task is high, Fij can be low as respon- 
sibility of the computer module for the task is high, and Fij can be high as the reliability of the task is high. That 
is, 

aFij/ai<0, 

5 aFij/aResp < 0, 

and 

dFij/aRel > 0, 

where I is the importance, Resp is the responsibility, and Rel is the reliability. 
An example of the evaluation function Fij meeting the conditions mentioned above is 
to Fij = Lrj - Lthij (6) 

where Lthij is a threshold value of the reliability level of task j in the computer module i, Lrj is the reliability 
level of task j, i is an own computer module number, and j is the task number. 

It should be noted that Lthij that is the threshold value of the reliability level of task j is different depending 
on the importance of the task. It is set to high value as the task is needed to have high importance or high 
is reliability. Further, if all the computer modules have the same value of Lthij set thereto, they all execute the 
same task at occurrence of fault. This results in unstable system operation. Therefore, Lthij has to be different 
depending on the computer module. It has to be high as the responsibility of the computer module is high for 
the task. That is, 

aLthij/ai>o, 

20 and 

aLthlj/aResp > 0. 

The following describes how to decide the reliability level Lrj of task j. The evaluation function that is the 
reliability level Lrj should be calculated in terms of fault data that are fault detection results, including number 
of the computer modules executing task j, equality and inequality of the process results, and number of the 
25 processors having equal process results. 

First, take note of a probability that wrong results are used as outputs of the system. Then, the reliability 
level Lrj can be calculated in terms of degree of accepted checks. Where N1 numbers of computer modules 
are executing task j, if N2 numbers of computer modules are judged normal as checked and if calculation re- 
sults of N3 numbers of computer modules coincide, then the probability Pej of wrong calculation results of task 
30 j is 

Pej Pe N1 xPed N2 xPeaN3-i (7) 
where Pe is the probability of error occurrence, Ped is a probability of checking failure of error, and 
Pea is a probability of accidental coincidence of wrong calculation results. Note that as Pe, Ped, and Pea 
are known constants that can be obtained in terms of the system operation environment and error detection 
35 method, and Pej is a function of N1, N2, and N3 - 1. 

The reliability level of task j that is a probability of correct calculation results is given by 

Lrj = 1 - Pej (8) 

Let Lrj be evaluated by magnitude of Pej in Eq. 8 for simplicity. Logarithm is taken for Eq. 7 is 
log(Pej) = N1 xlog(Pe) + N2xlog(Ped) + N(3 - 1)xlog(Pea) (9) 
40 As the values of Pe, Ped, and Pea can be calculated by means of field data or simulation, let logarithms 

of the values be represented by K1, K2, and K3. Eq. 9 can be simplified as 

log(Pe) = N1 xK1 + N2xK2 + (N3 - 1)xK3 (10) 
Also, take note of the probability Pe of wrong calculation results in place of the evaluation function in Eq. 
6. Let the evaluation function Fij be defined as 
45 Fij = log{(1 - Lthij)/Pe) (11) 

Then. 

Fij = K4 - N1xK1 + N2xK2 + (N3 - 1)xK3 (12) 
where K4 = log(1 - Lthij). Thus, the evaluation function Fij can be calculated only by addition, subtraction, 
and multiplication simply, or at a high speed. 
50 Similarly, the reliability level Lrj of task j can be calculated by taking note of the probability of error occur- 

rence in the computer modules executing task j. 

Assuming that N1 numbers of computer modules executing task j, the probability of wrong calculation re- 
sults of task j with error occurring in all the computer modules is 

Pe = Pe N1 (13) 

55 We can obtain logarithm of Eq. 13 before processing it, like Eq. 7, as 

Fij = K4 - N1 x K1 (14) 
Thus, the evaluation function Fij can be simplified as above. 

A condition judgement step 301 in the figure compares the evaluation functions Fij of tasks with the eval- 
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uation function Fik of task k executed currently, where j is 1 to n and n is number of tasks. As a result, if there 
is task j meeting Fij < Fik, task k executed currently is ended and task j is started. 

Fig. 27 depicts a timing chart illustrating instants of the end of task k and the start of task j. As for a computer 
for feedback control, as in Fig. 27, it reads input data periodically every control frame before executing the 

5 task to feed out results. Let the computer module i execute task k, and assume that Fij < Fik is made by fault 
occurrence in the computer module executing task j in a control frame 1 . The computer module i ends task k 
instantly before starting preparation for executing task j. If the data (history data) until the preceding control 
frame are not needed to start task j, the computer module i can start task j from control frame 2. If the history 
data are needed to start task j, on the other hand, as in Fig. 27, the computer module i uses a control frame 

10 2 to collect the history data before starting task j from a control frame 3. Note that the history data can be 
collected by requesting through the communication path 11 the computer module already executing task j. 

D. SETTING DEAD-ZONE TO PREVENT HUNTING 

is Fig. 28 depicts a timing chart illustrating an embodiment of dead-zone 5 provided for judgement in the 

condition judgement step 301. In the figure, if there is task j meeting Fij < Fik - 8, task k executed currently is 
ended before task j is started. The embodiment in the figure further improves the operation of the one in Fig. 
26. 

In the embodiment in Fig. 26, as shown in Fig. 29, the operation is that 
20 (1 ) Fault occurrence makes Fij < Fik. If the computer module executing task k starts execution of task j at 

instant t1 , the evaluation function Fij becomes high, while the evaluation function Fik becomes low. 
(2) If Fij and Fik are reverted in magnitude to make Fij > Fik, the computer module having started execution 
of task j starts task k at instant t2 again. 

As a result of repetition of operations (1 ) and (2) above, it is probable that an operational efficiency of the 
25 system is lowered by collection of history data and other operations. 

To overcome such a problem, as shown in Fig. 28, there is provided the dead-zone that is greater than 
changes of Fij and Fik at the instant of task switching for the judgement in the condition judgement step 301 . 
The dead-zone 6 is to provide a hysteresis characteristic that allows the system to run stably as shown in Fig. 
30 without occurrence of the hunting at the instant of execution task switching. 
30 As Pe, Ped, and Pea are known, we can see in advance changes of Fij, including aFij/dN1, 5Fij/dN2, and 

dFij/£N3, with changes of N1 , N2, and N3. Accordingly, we should set wider dead-zone 8 than 

max (aFij/0N1, £Fij/dN2, dFij/3N3). 
With the embodiments described above in Figs. 20 to 30, as shown in Fig. 31, we can see that the system 
can balance among the redundancies of the tasks according to the reliability levels required for the tasks in 
35 the way that the computer modules are successively assigned to tasks 1 to n. The balance can be kept even 
if fault occurrence causes the computer modules forming the redundant system to be continually lost with time. 
Also, the embodiments assign more redundant computer modules as the task having high importance is need- 
ed to have high reliability so that a coverage of fault detections can be increased. 

40 E. TIME AVERAGING TO INCREASE STABILITY 

The system stability can be further increased by addition of an embodiment shown in Fig. 32 to the ones 
in Figs. 20 to 31. 

Fig. 32 depicts a block diagram illustrating an embodiment of averaging Uj or Pe with time while the eval- 

45 uation function Fij is calculated. 

The embodiments in Figs. 20 to 31 can make the computer module start execution of task j to hold Fij < 
Fik in the computer module i having the highest Lthij, or bearing the highest responsibility for task j, among 
the computer modules executing task k, if fault occurs in the computer modules executing task j. This can keep 
the reliability level of task j as indicated by solid line a in Fig. 33. If even the computer module i is at failure in 

so that operation, there is no computer modules to start execution of task j newly. This results in that the reliability 
level of task j is left low as indicated by dotted line b in Fig. 33. In other words, the fault of the computer module 
i affects results of the redundant resource management, thereby lowering the stability of the system. 

To overcome such a problem, as shown in Fig. 32, Lrj or Pej should be averaged in a period of time while 
the evaluation function Fij is calculated. This can gradually lower Fij with time as indicated by solid line in Fig. 

55 34. If there exists the computer module i bearing the highest responsibility for task j, as indicated by dotted 
line a in Fig. 34, the computer module i can start execution of task j at instant tl, thereby restoring the value 
of Fij. If there exists no computer module i but exists a computer module i' bearing the secondly highest re- 
sponsibility for task j, as indicated by dotted line b in Fig. 34, the computer module i' can start execution of 

16 



RNSnreiD: <EP 



06S3708A2_I_> 



EP 0 653 708 A2 



task j at instant t2, thereby restoring the value of Fij. If there exists no computer module i nor computer module 
i' but exists a computer module i" bearing the thirdly highest responsibility for task j, as indicated by dotted 
line c in Fig. 34, the computer module i" can start execution of task j at instant t3, thereby restoring the value 
of Fij. 

5 Methods of averaging Lrj or Pe with time include: 

(1) A method of motion averaging, and 

(2) A method of use of ICth delay of which transfer function G(s) =1/(1 + Ts) A K. 

The embodiment has such a advantageous capability as increasing the fault tolerance of the tolerant re- 
source method itself. The advantage is accomplished in the way that fault of the specific computer modules 
10 bearing high responsibilities for the task can be made to reduce effect to the results of the redundant resource 
management. 

F. REDUCING AMOUNTS OF COMMUNICATIONS AND CALCULATIONS 

15 Fig. 35 depicts a timing diagram illustrating an embodiment of the present invention for relaxing increases 

of amount of communications among the computer modules 1 1 01 to 1 1 0m and of calculations of the evaluation 
functions. In the embodiments described in Figs. 20 to 34, it is needed to perform Ncom {= m(m - 1)} times of 
communications so that the own computer module has to notice, or broadcast, its fault detection situation to 
all the other computer modules. This increases the amount of communications to a great extent To solve such 

20 a problem, as shown in Fig. 35, the evaluation function fault detection situation is ordinarily noticed only to 
the computer module executing the same task. Only if the evaluation function Fij changes, that is noticed to 
all the other computer modules. As an example, let us examine an operation that the computer modules 1 to 
3 execute task 1 , while the computer module i executes task 2. A control frame 1 do not find any abnormality 
in the computer modules 1 to 3. Communication is made only among the computer modules 1 to 3. In turn, let 

25 us inspect a case that a control frame 2 finds a fault in the computer module 3. The first communication is 
made among the computer modules 1 to 3. The evaluation function Fij calculated on the basis of the fault de- 
tection information exchanged through the communication is lower than the preceding one (control frame 1) 
because of the fault i the computer module 3, which is silent The control frame 2 therefore succeeds to the 
second communication to notice to the computer module i that the evaluation function Fij is lowered. The com- 

30 puter module i judges whether or not the own computer module should participate in execution of task 1 . If so, 
it halts execution of task 2 before starting execution of task 1. 

Number of times of communication among the computer modules by the example is given by 



Ncom '=^2 Nlj-(Nlj-l) (time) eg. 15 
where Nij is number of the computer modules executing task j. In Eq. 15, 

40 

n 

52 Nlj^m/n egr. 16 

45 

The number of times of communication by the example becomes Ncom' Ncom/n, which is near 1/n. 
Fig. 36 depicts a flow chart illustrating a judgement whether or not broadcasting should be made to all the 
computer modules for the embodiment in Fig. 35. First, at step 302, the computer modules executing the same 
task exchange the fault detection information among one another. At step 300\ on the basis of the information 

so exchange, the evaluation functions Fij are calculated. Note that the calculations of the evaluation functions 
Fij at step 300* are for the computer modules executing the same task. This is different from the ones for all 
the computer modules at step 300 in Figs. 26, 28, and 37. Step 300' for calculations of the evaluation functions 
Fij should calculate Fij only by the number of times (O (m/n)) of the computer modules executing the same 
tasks, while step 300 for calculations of the evaluation functions Fij is needed to calculate Fij by m times. This 

55 means that the amount of calculations can be reduced nearly to 1/n. After the calculations of the evaluation 
functions Fij at step 300', step 303 compares the present values of Fij with the preceding ones of Fijold. If they 
are not equal, step 304 broadcasts the fault information to all the computer modules. Finally, step 305 stores 
the present values of the evaluation functions Fij to variables Fijold to prepare for the next time. 
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On the other hand, the computer modules having received the broadcast, as shown in Fig. 37, judge at 
step 306 whether or not the broadcast is to all the areas. Only if it is to all the areas, the step goes to the judge- 
ment in Fig. 26 or 28. 

5 G. APPLICATION TO AN ADAPTIVE-CONTROL SYSTEM 

Fig. 38 depicts a block diagram illustrating an embodiment of the present invention for application to an 
adaptive-control system. In the embodiment, a sensor 9 measures physical quantity of a controlled system 8. 
A status viewer 16 observes, or estimate, status of the controlled system 8. On the basis of the observed sta- 
10 t us, then, it feeds back to the controlled system 8 via a regulator 1 7 having adequate controlling characteristics 
and an actuator 7. The embodiment described above is a typical configuration of the controlling system of state 
feedback type based on the modem control theory. 

Further, a controlled system characteristic identifier 18 signifies characteristics of the controlled systems 
8, including the sensor 9 and the actuator 7, in terms of signals input to the sensor 9 and the actuator 7. An 
15 optimum regulator designer 19 calculates parameters for the regulator 17 optimum to control in terms of iden- 
tification results of characteristics of the controlled system 8. The designer 19 then sets the parameters for 
the regulator 17 to optimum values. The adaptive-control system described above can increase the control 
characteristics. In particular/the system is known optimum for controlling such a controlled system as its char- 
acteristics changes apparently with attitude and speed in a linearly approximated controlling system by non- 
20 linear aerodynamic characteristics of airplanes and space shuttle. Further, even if fault occurs in the controlled 
system 8, the sensor 9, or actuator 7, the control system recognizes it as a characteristic change of the con- 
trolled system. Whenever it happens, the control system can set an optimum parameter to the regulator 17 so 
that the characteristic deterioration due to the fault of the controlled system can be compensated. In general, 
control systems having high reliability demanded have the actuators duplexed. In the airplane, for example, 
25 control surface, including an elevator and a rudder, and a thrust generator are made redundant so that the 
airplane can fly without trouble even if parts of them break down. However, if the parts of the actuators made 
redundant break down, gains of the actuators decrease equivalently . This means control characteristics of the 
whole system are deteriorated. In some cases, controlled values interfere each other. This makes very difficult 
controlling through manual operations. To solve this problem, the adaptive-control system of the embodiment 
30 has the characteristic identifier 18 to detect the gain decrease of the actuator 7. The optimum regulator de- 
signer 19 decides optimum parameters for the regulator 17. This can compensate the deterioration of the con- 
trol characteristic performance. 

The application of the present invention to the adaptive-control system in the embodiment is accomplished 
in the following way. The status viewer 16 and the regulator 1 7 are formed of task 1 or task group 1. The con- 
35 trolled system characteristic identifier 1 8 and the optimum regulator designer 1 9 are formed of task 2 or task 
group 2. Setting is made as 

Lth11 > Lth21 > Lth31 > Lth41 > Lth51, and 
Lth12 < Lth22 < Lth32 < Lth42 < Lth52, and 
Lth11 > Lth52 and Lth21 > Lth42, and 
40 Lth31 >Lth32and Lth41 > Lth22 and Lth51 > Lth11. 

If there exists no computer module for executing task 2 or task group 2, a table of numbers is prepared in 
advance to set the parameters for the regulator 17. Fig. 39 depicts a table illustrating how the embodiment 
can manage the redundant resource. First, five computer modules are normal, three computer modules are 
assigned to task 1 or task group 1 and two computer modules are to task 2 or task group 2. If one computer 
45 module breaks down leaving four normal computer modules, two computer modules are assigned to task 1 or 
task group 1 and two computer modules are to task 2 or task group 2. If two computer modules break down 
leaving three normal computer modules, two computer modules are assigned to task 1 or task group 1 and 
one computer module is to task 2 or task group 2. If three computer modules break down leaving two normal 
computer modules, two computer modules are assigned to task 1 or task group 1 and no computer modules 
60 are assigned to task 2 or task group 2. Alternatively, the table of numbers prepared in advance is used to set 
the parameters for the regulator 17 to continue control. 

As described above, the embodiment can configurate the control system that can not only allow fault of 
the computer modules, but also the one of the controlled system. This advantage can increase the reliability 
of the whole control system. 

55 Figs. 40, 41 , and 42 depict a cross-sectioned view, a longitudinally sectioned view, and a circuit diagram 

illustrating a servo-motor system having features of output selection and decision of majority as an embodi- 
ment of the present invention, respectively. The servo-motor system provides both capabilities of the output 
selector circuits 1 51 to 1 51 and the output units 1 71 to 1 7X in Fig. 20. The servo-motor in the embodiment, as 
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shown in Fig. 40, has a plurality of armature windings 7041 to 7041 provided on a single shaft 701 in a housing 
702. The servomotor also has a plurality of field windings7031 to 7031 corresponding tothe armature windings 
faced with the armature windings. A cross-sectional view taken across A-A* in Fig. 40 is shown in Fig. 41. An 
output torque of the servo-motor is given by 

5 

i 

T=£ K-Ifi-lai eq.17 

10 

where If i is a current flowing through the field winding 703i, lai is a current flowing through the armature 
winding 704i, and K is a proportion coefficient 
If all of If i are made constant, then 
15 where K' is a proportion coefficient equal to K x 



T=]T) iC'-Xai eg.18 

20 

If i. If tfi is entered, it is possible to make an operation similar to decision of majority (hereinafter referred to as 
the para-decision of majority). If value of each If i is made to proportion to the reliability of the input lai, a weighed 
para-decision of majority can be made as shown in Eq. 1 7. Fig. 42 depicts a circuit diagram illustrating a circuit 

25 for making the weighed para-decision of majority with use of the servo-motor system having the para-decision 
of majority in Figs. 40 and 41. The circuit shown in the figure are to provide the capabilities of the output selector 
circuit151 and the output unit 171 in Fig. 20. The same circuits are used for those of the output selector circuits 
152to 15Xand the output units 172to17X. Tothe armature windings 7041 to 7041 and the field windings 7031 
to 7031 are supplied currents in proportion to the signals 31-1 to 3m-1 and the selection control signals 41-1 

30 to 4m- 1 from the computer module modules 1101 to 110m through servo-amplifiers, respectively. Such a 
scheme can accomplish the decision of majority of the signals 31-1 to 3m-1 from the computer module modules 
1101 to 110m regarded normal by the selection control signals 41-1 to 4m-1. Further, the servo-amplifiers, 
the armature windings 7041 to 7041, and the field windings 7031 to 7031 can be multiplexed to prevent the 
system from malfunctioning due to difficulty of the servo-amplifiers or shortcircuit or break of the windings, 

35 thereby increasing the reliability of the servo-motor system. 

Also, the selection control signals 41-1 to 4m-1 can be multivalued corresponding the reliabilities of the 
computer modules, including the two values of on and off, to accomplish the weig hed para-decision of majority. 
Fig. 43 depicts a block diagram illustrating a system configuration in use for the servomotor systems. Such a 
system can be accomplished by replacing the output selector circuits 151 to 15X and the output units 171 to 

40 MX in Fig. 20 by the servo-motor systems 7001 to 700X, respectively. As described above, the embodiment 
has the advantage that the whole system configuration can be simplified, made small, and reduced in number 
of component parts to increase the reliability since the servo-motor systems can accomplish the features of 
the output selector circuits 151 to 15X and the output units 171 to 17X in Fig. 20. We can see that If i and lai 
in Eq. 17 can be exchanged for each other. Therefore, the same effect can be obtained even by supplying the 

45 current in proportion to the signals 31-1 to 3m-1 from the computer module modules 1101 to 110m to the field 
windings 7031 to 7031 and the selection control signals 41-1 to 4m-1 to the armature windings 7041 to 7041 , 
respectively. 

The embodiment of the present invention described above can increase the redundant resource process- 
ing performance and reliability since adequate number of redundant resources can be assigned according to 
so the reliable levels needed for the tasks. 

Further, by applying the present invention to the adaptive-control system, the embodiment can configurate 
the control system that can not only allow fault of the computer modules, but also the one of the controlled 
system. This advantage can increase the reliability of the whole control system. 

55 3. Diversities 

These embodiments are especially intending to materialize self-checking logics stated in chapter 1. 
Furthermore, by taking means called diversities as shown below, faults to be detected in any of at-least 
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dualized function blocks can be prevented from affecting the other function block, improving the said effec- 
tiveness of the embodiments. The method to materialize such the diversities to be explained below can be 
combined with the self-checking comparison circuit 217 provided by Japanese Patent Laid-Open 
No.27664/1994, which is described in the previous chapter, effectively to materialize a self-checking logical 
5 circuit or system. Of course, it can also be combined other technologies to build a high reliability system such 
as a self-checking system, fault tolerant system, fail-safe system, etc. 

(1) Design diversity 

10 The design diversity is a means effective to eliminate the influence of faults caused by designs. Especially, 

N-Version Programming for software is well known. The N- Version Programming is a method to execute N ver- 
sions of a program that are developed with the same specifications concurrently. Also in case of hardware, 
this design diversity can be materialized by developing circuits with the same specifications in N ways. Ac- 
cording to the method mentioned above, however, the number of processes and expenses are needed by N 

15 times that of an ordinary method for the design and development. It is not effective so much. 

To reduce the number of processes and expenses in designing hardware, therefore, the following method 
is taken in this invention. 

As shown in Figure 20, the main current to design modern hardware is using the HDL (Hardware Descrip- 
tion Language) first to create a file (logical description) 300 that describes the functions and specifications of 
20 the subject logical circuits and then creating another file (logical net list) 320 that describes the connections 
of the said logical circuits using a logical synthesis tool 310 on the basis of the logical description 300. In ad- 
dition, the said logical net list file 320 is converted to a (physical net list) file 340 that describes the wiring and 
layout of transistors on the actual semi-conductor chip using an auto wiring tool to create the necessary masks 
and manufacture semiconductor elements (350). 
25 In this case, the design constraints such as the delay time, occupation area, etc., as well as the subject 

algorithm can be changed for logical synthesis and automatic wiring to diversify the target logical net lists 320 
to 32N and physical net lists 340 to 34N as shown in Figure 21 . 

Thus, the said dualized function blocks A110 and B111 are materialized in the subject semi-conductor chip 
on the basis of the logical description of the said logical blocks by selecting 2 physical net lists from among 
30 the said diversified plural physical net lists. 

To select 2 physical net lists from among many, as shown in Figure 22, it is only needed to define a cor- 
relation function that indicates how much those physical net lists are resemble and find the correlation among 
them (procedure 360) and select a combination of the physical net lists (procedure 370) so that the correlation 
function may be minimized. In this case, fault characteristics of the semi-conductor must be affected in the 
35 correlation function. In general, wire intersection is pointed out as a weak point of semiconductors. At a wire 
intersection, two wires are separated only by a thin film oxide, so shortcircuits between wires and shorts such 
as crosstalk, etc. are apt to occur. Furthermore, since a wire crosses over the other wire at such a wire inter- 
section, the wire located at the difference of level is often cut off with stress. In other words, the status of the 
intersection between wires affects the fault characteristics of semiconductors. The correlation function in which 
40 the fault characteristics of the semi-conductor is affected can thus be defined as follows. 

[Formula 3] 

However, the <|>ijk must indicate whether an intersection exists between wiring nets and be defined as fol- 
45 lows. 

[Formula 4] 

(2) Time diversity 

50 

Faults that occurs due to electric noise, etc. in any of the said at-least dualized function blocks can be 
prevented from affecting the other function block even when both of the function blocks are designed in the 
same way, by delaying the timings of their operations individually. 

Figures 23, 24, and 25 show embodiments of a system to materialize such a time diversity. 
55 In the embodiment shown in Figure 23, only the clock signal 401 is entered to one B111 of the dualized function 
blocks through the delay circuit 420 that is set a delay time (T delay) to delay the operation timing. In this case, 
the output 431 from the function block B111 is delayed by a certain time of period (T delay) from the output 
430 from the function block A110. Thus, the output 430 from the function block A110 is delayed by a certain 
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time (T delay) using the delay circuit 421 so that outputs 430 and 431 are compared in the comparison circuit 
217. In this embodiment, since the function blocks A110 and B110 can be operated at different timings from 
each other, malfunctions to be caused by power noise, etc. can be prevented from occurring concurrently in 
both function blocks A11 0 and B1 1 0. This allows a perfect self-checking logic to be realized by dualizing a f unc- 

5 tion block and comparing outputs from both of the at-least dualized function blocks. 

When there are signals 410 and 411 to be entered the dualized function blocks A110 and B1 11, only the 
signal 401 may be entered to the function block B111 through the delay circuit 422 that is set a delay time (T 
delay) as shown in Figure 24. 

In this embodiment, any delay time (T delay) can be selected, but the delay time (T delay) should be as 

10 large as possible to minimize the correlation of faults between the function blocks A110 and B111. To speed 
up the operation and detection of faults, however, the delay time (T delay) should be as small as possible. In 
addition, to minimize the mutual influence of noise between the function blocks A110 and B111 considering 
that power noise in a digital circuit is generated in synchronization with clock signals, the delay time (T delay) 
should be set as follows. 

15 T delay = N + 1/2 [clock cycle] 

N=0, 1... 

To satisfy both items (influence by noise and operation speed) therefore, it is found that the most suitable 
delay time (T delay) is 1/2 [of the clock cycle]. 

Figure 25 shows an embodiment of this invention, in which the delay time (T delay) is set to 1/2 [of the 

20 clock cycle]. The original clock signal 403 that has a frequency double the clock signals 400 and 401 of the 
dualized function blocks A110 and B111 is divided in the flip-flop 441 to become clock signals 400 and 401 
whose phases are shifted by 180°, that is, 1/2 [of the clock cycle], from each other. They are then entered to 
the function blocks A110 and B111 separately. Input signals INsync and INasync are entered to the function 
block A110 without delay. They are then entered to the function block B111 after they are delayed by 1/2 [of 

25 the clock cycle] in the flip-flops 444 and 445 (equivalent to the delay circuit 422). The input signal INsync is 
synchronized with the clock signal 400. The input signal INasync is not synchronized with the clock signal 400. 
In other words, it is an asynchronous input signal. The INasync signal is synchronized with the clock signal 
400 in the flip-flop circuits 442 and 443. The output 430 from the function block A110 is delayed by 1/2 [of the 
clock cycle] in the flip-flop circuit 446 (equivalent to the delay circuit 421) and compared with the output 431 

30 from the function block B111 in the comparison circuit 217. 

(3) Space diversity 

When one of the dualized function blocks is separated away from the other, it becomes possible to prevent 
35 temporary faults to occur in one of dualized function blocks due to electrical noise, cosmic rays, radiation, etc., 
as well as due to the damage of the subject semi-conductor chip from affecting the other. When a function 
block is dualized in a chip as A110 and B111 and each is checked by itself, the dualized function blocks A110 
and B111 should be arranged in the same direction and in the same pattern as shown in Figure 26 to maximize 
the effectiveness of the space diversity. The corresponding sections of the dualized function blocks can thus 
40 have the same distance. As a result, it can be prevented that the said corresponding sections of the dualized 
function blocks come close excessively to each other to deteriorate the said effectiveness of the space diver- 
sity. 

In this embodiment, the comparison circuits 30 to 3n used to compare outputs, the area 0 (200) comprising 
an integrator circuit 5, orthogonal waveform generator circuits 1 00 and 1 01 , penmutors 80 to 8n and 90 to 9n, 

45 latches 120 and 121 are arranged symmetrically so that their wirings may become short-cut and wiring inter- 
sections may be reduced to ensure the continuity. In such the symmetrical arrangement of circuits, the outputs 
a0' - an' and b0' - bn' from the function blocks A11 0 and B1 11 come most closely in the area 0 (200). However, 
since each orthogonal waveform is placed on another to eliminate the correlation between the waveforms, 
faults by short, etc. can be prevented. According to this embodiment, the effectiveness of the space diversity 

so can be applied to isolate faults in one of dualized function blocks from the other for securing the wiring con- 
tinuity, improving the self-checking performance (fault detection rate and detection coverage) to realize small- 
sized self-checking logical circuits. 

This invention can provide a new method that assures the said fail-safe function even to cope with false 
sig nature to be caused by a short No special constraint is needed to materialize failsafe logic circuits according 

55 to this invention. In addition, existing semi-conductor technologies, design automation tools, etc. can also be 
used effectively to reduce the cost and time of development signif icantly. 
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Claims 

1 . A logic circuit having error detection function for detecting an error by way of comparing signals output of 
at least duplexed function blocks, comprising: 

synthesizing means provided to superimpose inherent waveforms assigned in advance to the re- 
spective function blocks ont one or both of the signals output of the duplexed function blocks, 

thereby detecting the error on the bases of a signal or signals output of the synthesizing means. 

2. The logic circuit having error detection function according to claim 1 wherein the synthesizing means in- 
cludes waveform generating means for generating the inherent waveforms assigned in advance to the 
respective function blocks and logic operation means for exclusive-OR operation of the generated inher- 
ent waveform and the output signals of the function blocks. 

3. The logic circuit having error detection function according to claim 1 wherein each of the function blocks 
feeds out a plurality of signals, and the synthesizing means superimposes the inherent waveforms as- 
signed in advance to the respective function blocks onto the signals output of the function blocks, thereby 
detecting the error, and signals output of the synthesizing means are compared with the signals output 
of the other function block, thereby detecting the error. 

4. The logic circuit having error detection function according to claim 3 wherein the synthesizing means in- 
cludes waveform generating means for generating the inherent waveforms assigned in advance to the 
respective output signals and logic operation means for exclusive-OR operation of the generated inherent 
waveform and the output signal of the one function block. 

5. The logic circuit having error detection function according to claim 3 wherein the inherent waveforms as- 
signed in advance to the respective output signals are waveforms that are not correlated to one another. 

6. The logic circuit having error detection function according to claim 3 wherein the inherent waveforms as- 
signed in advance to the respective output signals are waveforms that are orthogonal to one another. 

7. A logic circuit having error detection function that has function blocks of feeding out a plurality of signals 
at least duplexed and has comparison means for comparing signals output of the function blocks and that 
detects an error on the basis of results of the comparison, comprising: 

f irst synthesizing means provided to superimpose inherent waveforms assigned in advance to the 
respective output signals of the function blocks onto the output signals of one of the function blocks; 

second synthesizing means provided to superimpose inherent waveforms assigned in advance to 
the respective output signals of the function blocks onto the output signals of the other function blocks; 
and comparison means for comparing a signal output of the first synthesizing means with a signal output 
of the second synthesizing means, thereby detecting the error. 

8. An error detecting method for detecting an error by way of comparing a plurality of signals output of du- 
plexed function blocks, comprising: 

a step of superimposing inherent waveforms assigned in advance to the respective output signals 
onto the output signals of one of the duplexed function blocks; and a step of comparing signal outputs of 
the other of the duplexed function blocks with signals having the inherent waveforms superimposed , 
thereby detecting the error. 

9. The error detecting method according to claim 8 wherein the inherent waveforms are superimposed in a 
way that exclusive-OR operation is made of the output signals of the one of the duplexed function blocks 
and the inherent waveforms assigned in advance to the respective output signals. 

10. An error detecting method for detecting an error by way of comparing a plurality of signals output of du- 
plexed function blocks, comprising: 

a step of comparing signal outputs of the other of the duplexed function blocks with signals having 
the inherent waveforms superimposed to detect the error, and a step of judging the error if the comparison 
results in obtaining a waveform other than the inherent waveforms assigned in advance or if the compar- 
ison results in not obtaining the inherent waveforms assigned in advance. 

11. A logic circuit having error detection function, comprising: a first circuit having at least a CPU, an interrupt 
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controller, and a timer for generating a plurality of output signals; a second circuit having the same features 
as the first circuit; and a comparison circuitfor comparing the signals output of the first and second circuits; 

wherein the first and second circuits have first and second synthesizing means provided therein 
respectively to superimpose inherent waveforms assigned in advance to the plurality of respective output 
signals onto the plurality of the output signals/and the first and second circuits and the comparison circuit 
are arranged in respectively individual chips. 

12. A fault tolerant system, comprising : a first and second computers that has function blocks of feeding out 
a plurality of signals at least duplexed, has synthesizing means provided to superimpose inherent wave- 
forms assigned in advance to the respective output signals of the function blocks onto the output signals 
of one of the function blocks, and compares the signal output of the synthesizing means with a signal out- 
put of the other function b!ock,thereby detecting an error ; a switching control circuit for selecting either 
one of the signals output of the first and second computers before feeding the signal out; 

wherein the switching control circuit select the signal output of any one of the first and second com- 
puters on the basis of error detection signals output of the first and second computers. 

13. A distributed fault tolerant system having a plurality of computer modules assigned to execute a plurality 
of tasks, comprising: 

selection and execution means that if fault occurs in any of the computer modules of the system, 
selects at least one of the computer modules having the tasks assigned thereto other than the task that 
the broken computer module, assigns to the selected computer module the task that the broken computer 
module has executed, and makes the selected computer module execute the task. 

14. A distributed fault tolerant system having a plurality of computer modules assigned to execute a plurality 
of tasks, comprising: 

selection and execution means that while all the computer modules of the system execute the re- 
spective tasks having respective specif ic tolerances in advance, if fault occurs in any of the computer mod- 
ules of the system, selects at least one of the computer modules having the tasks assigned thereto other 
than the task that the broken computer module, assigns to the selected computer module the task that 
the broken computer module has executed, and makes the selected computer module execute the task. 

15. The distributed fault tolerant system according to claim 13 wherein the selection and execution means 
decides a computer module to be selected from among the other computer modules having the different 
tasks assigned thereto on the bases of importance of the tasks executed in the system. 

16. The distributed fault tolerant system according to claim 15 wherein the selection and execution means is 
owned by each of the plurality of computer modules. 

17. The distributed fault tolerant system according to claim 16 wherein each of the computer modules has 
communication control means that is capable of mutually sending situation information of the fault having 
occurred in the own computer module to the other computer modules. 

1 8. Adistributed fault tolerant system having a plurality of redundant computer modules assigned to a plurality 
of tasks to execute, comprising: task assig ning means for changing number of the computer modules exe- 
cuting the tasks on the basis of number of normal ones of the compute modules and importance of the 
tasks. 

19- A method of redundant resource management in a distributed fault tolerant system having a plurality of 
redundant computer modules assigned to a plurality of tasks to execute, comprising: 

a step of changing number of computer modules redundantly executing the tasks on the basis of 
number of normal ones of the computer modules and importance of the tasks. 

20. The method of redundant resource management according to claim 1 9 wherein if the number of the normal 
computer modules is decreased by occurrence of fault, the number of the computer modules redundantly 
executing the tasks is decreased and as tasks are high in the importance, the number of the computer 
modules assigned to the tasks is much. 

21. The method of redundant resource management according to claim 19 wherein an evaluation function is 
calculated for each of the tasks on the bases of a fault detection situation in each of the computer modules 
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executing redundantly and if there is a first task having the evaluation function decreased, the computer 
module executing a second task having higher evaluation function is made to execute the first task. 

22. The method of redundant resource management according to claim 21 wherein all the computer modules 
calculate the evaluation functions for the respective tasks and when there is the first task having the eval- 
uation function decreased if a value of the evaluation function of the second task executed i the own com- 
puter module is higher than the first task, the computer module halts execution of the second task by 
judgement itself before executing the first task. 

23. The method of redundant resource management according to claim 1 9 wherein each of the computer mod- 
ules reports to the other computers its task number in execution and fault occurrence information, esti- 
mates reliabilities of the tasks on the basis of the fault occurrence information reported from the other 
computer modules, decides in which task of redundant formation the own computer module should par- 
ticipate, and if the task to participate is different form the one in current execution switching is made from 
the task in current execution to the task to participate. 

24. The method of redundant resource management according to claim 22 wherein Fij represents the eval- 
uation function for the computer module i where i is 1 to N, which is number of the computer modules, 
and is defined as 

Fij = Lrj - Lthij 

where Lthij is a threshold value of a reliability level of task j in the computer module i, Lrj is a reli- 
ability level of task j, i is an own computer module number, and is a task number and task j for minimizing 
the evaluation function Fij is decided as a process to execute. 

25. The method of redundant resource management according to claim 22 wherein Fij represents the eval- 
uation function for the computer module i where i is 1 to N, which is number of the computer modules, 
and is defined as 

Fij = Lij/Lthij 

where Lthij is a threshold value of a reliability level of task j in the computer module i, Lrj is a reli- 
ability level of task j, i is an own computer module number, and j is a task number, and task j for minimizing 
the evaluation function Fij is decided as a process to execute. 

26. The method of redundant resource management according to claim 22 wherein Fij represents the eval- 
uation function for the computer module i where i is 1 to N, which is number of the computer modules, 
and is defined as 

Fij = Log{(1 - Lthij)/Pej} 
where Lthij is a threshold value of a reliability level of task j in the computer module i, Pej is a prob- 
ability of wrong calculation results of task j, i is an own computer module number, and j is a task number, 
and task j for minimizing the evaluation function Fij is decided as a process to execute. 

27. The method of redundant resource management according to claim 24 wherein in deciding task j for min- 
imizing the evaluation function Fij, task j is decided as a task to participate if the evaluation function Fij 
meets 

Fij < Fik - 8 

where k is a currently executed task number and 8 is a width of dead-zone. 

28. The method of redundant resource management according to claim 24 wherein the reliability level Lrj de- 
creases with time in occurrence of fault 

29. The method of redundant resource management according to claim 24 wherein the reliability level Lrj is 
set as a motion average of the reliability level of task j for evey unit of time. 

30. An adaptive-control system, comprising: aa status viewer for estimating an internal status of a controlled 
system; a regulator for generating a control signal fed to the controlled system; a system identifier for 
identifying characteristics of the controlled system; an optimum regulator setting section for deciding op- 
timum control parameters for the controlled system on the basis of results of the system identifier; and 
a task controller having task 1 defined as a process to be executed by the regulator, having task 2 defined 
as a process to be executed by the system identifier and the optimum regulator setting section, having 
importance of task 1 set higher than that off task 2, having tasks 1 and 2 assigned to a plurality of computer 
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modules, and having the tasks rearranged depending on the importance of the tasks if any of the pluraiity 
of computer modules breaks down. 

31. A redundant logic circuit or system that has function blocks provided with an identicl function and at least 
dualized, wherein when an automatic logic synthesis or automatic wiring is done for the said at-least dual- 
ized function blocks, N ways (n: 2 or greater integer) of logic or wiring patterns are generated according 
to the design constraint that is changed as needed and at least 2 ways of logic or wiring patterns are se- 
lected from the generated ones according to the description of the hardware description language. 

32. The redundant logic circuit or system described in Claim 31 , wherein at least 2 ways of logic or wiring pat- 
terns are selected from the N ways of logic or wiring patterns generated according to the design constraint 
that is changed as needed so that the correlation function may be minimized, to assume the said at least 
dualized function blocks. 

33. The redundant logic circuit or system described in Claim 32, wherein the said correlation function is de- 
fined so that the status of the wiring net intersection may be affected in the correlation function. 

34. The redundant logic circuit or system described in Claim 32 or 33, wherein the said correlation function 
is defined as follows, 

[Equation 1] 

m n 

i-i j=i 

where, however, 4>ijk must represent whether or not an intersection exists between wiring nets and be 
defined as follows, 

[Equation 2] 

< t ) iii^ 0: no intersection « wiringnets i A j 

1: an intersection existing o wiring nets i A j 



35. A fail-safe logic circuit or system that has f u notion blocks provided with an identical function and at least 
dualized and outputs an output to external only when all the outputs from the said function blocks match 
and stops the output or outputs an output to external to guarantee the safe side operation when the outputs 
from the said function blocks do not match , wherein when an automatic logic synthesis or automatic wiring 
is done for the said at-least dualized function blocks, N ways (n: 2 or greater integer) of logic or wiring 
patterns are generated according to the design constraint that is changed as needed and at least 2 ways 
of logic or wiring patterns are selected from the generated ones according to the description of the hard- 
ware description language. 

36. The fail-safe logic circuit or system described in Claim 35, wherein at least 2 ways of logic or wiring pat- 
terns are selected from the N ways of logic or wiring patterns generated according to the design constraint 
that is changed as needed so that the correlation function may be minimized, to assume the said atleast 
dualized function blocks. 

37. The fail-safe logic circuit or system described in Claim 36, wherein the said correlation function is defined 
so that the status of the wiring net intersection may be affected in the correlation function. 

38. The fail-safe logic circuit or system described in Claim 36 or 37, Wherein the said correlation function is 
def ined as follows, 
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m n 

where, however, <frijk must represent whether or not an intersection exists between wiring nets arid 
be defined as follows, 

[Equation 2] 

0 : no wiring nets ±j Intersecting 
• H>ij*-\ l: wiring nets Xj intersecting e <7- 2 



39. A logical circuit or system with fault detecting function, which has function blocks provided with an identical 
function and at least dualized and can detect faults in the said function blocks, wherein comparing the 
outputs from the said function blocks, and wherein, when an automatic logic synthesis or automatic wiring 
is done for the said at-least dualized function blocks, N ways (n: 2 or greater integer) of logic or wiring 
patterns are generated according to the design constraint that is changed as needed and at least 2 ways 
of logic or wiring patterns are selected from the generated ones according to the description of the hard- 
ware description language, to assume the said at-least dualized function blocks. 

40. The logical circuit or system with fault detecting function described in Claim 39, wherein at least 2 ways 
of logic or wiring patterns are selected from the N ways of logic or wiring patterns generated according 
to the design constraint that is changed as needed so that the correlation function may be minimized, to 
assume the said at-least dualized function blocks. 

41. The logical circuit or system with fault detecting function described in Claim 40, wherein the said corre- 
lation function is defined so that the status of the wiring net intersection may be affected in the correlation 
function. 

42. The logical circuit or system with fault detecting function described in Claim 40 or 41, wherein the said 
correlation function is defined as follows, 

[Equation 1] 



jn n 



where, however, 4djk must represent whether or not an intersection exists between wiring nets and be 
defined as follows, 

[Equation 2] 

0: no wiring nets dj intersecting 
vijk-\ i; wiring nets ±j intersecting eg ' 2 

43. A redundant logical circuit or system that has function blocks provided with an identical function and at 
least dualized, wherein the operations of the said at least dualized function blocks are delayed by a certain 
time of period (T delay) respectively. 
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44. A redundant logical circuit or system that has function blocks provided with an identical function and at 
least dualized, wherein the signal or clock to be entered to the first function block of the said at-least dual- 
ized function blocks is delayed by a certain time of period (T delay), and the signal to be output from the 
second function block is delayed by a certain time of period (T delay) and compared with the output from 
the first function block. 

45. The redundant logical circuit or system described in Claims 43 and 44, wherein the said T delay value is 
an odd multiple of the half-cycle of the clock. 

46. A fail-safe logic circuit or system that has function blocks provided with an identical function and at least 
dualized and outputs an output to external only when all the outputs from the said function blocks match 
and stops the output or outputs an output to external to guarantee the safe side operation when the outputs 
from the said function blocks do not match, wherein the operations of the said at-least dualized function 
blocks are delayed by a certain time of period (T delay) respectively. 

47. A fail-safe logic circuit or system that has function blocks provided with an identical function and at least 
dualized and outputs an output to external only when all the outputs from the said function blocks match 
and stops the output or outputs an output to external to guarantee the safe side operation when the outputs 
from the said function blocks do not match, wherein the signal or clock to be entered to the first function 
block of the said at least dualized function blocks is delayed by a certain time of period (T delay), and the 
signal to be output from the second function block is delayed by a certain time of period (T delay) and 
compared with the output from the first function block. 

48. The fail-safe logic circuit or system described in Claims 46 and 47, wherein the said T delay value is an 
odd multiple of the half-cycle of the clock. 

49. A logical circuit or system with fault detecting function, which has function blocks provided with an identical 
function and at least dualized and can detect faults in the said at-least dualized function blocks by com- 
paring the outputs from both of the said at-least dualized function blocks, wherein the operations of the 
said at-least dualized function blocks are delayed by a certain time of period (T delay) respectively. 

50. A logical circuit or system with fault detecting function, which has function blocks provided with an identical 
function and at least dualized and can detect faults in the said function blocks by comparing the outputs 
from both of the said at-least dualized function blocks, wherein the signal or clock to be entered to the 
first function block of the said at-least dualized function blocks is delayed by a certain time of period (T 
delay), and the signal to be output from the second function block is delayed by a certain time of period 
(T delay) and compared with the output from the first function block. 

51. A logical circuit or system with fault detecting function described in Claims 49 and 50, wherein the said T 
delay value is an odd multiple of the half-cycle of the clock. 

52. Afault tolerant system provided with the first and second circuits comprising the redundant logical circuit 
described in Claim 31 , 43, or 44, or the fail-safe logical circuit described in Claim 35, 47, or 48, or the 
logical circuit with fault detecting function described in Claim 39, 49 or 50, and a switching circuit that se- 
lects and outputs the output of either the said first circuit or the second circuit, wherein the said switching 
circuit selects the output according to the error detection signal from the said first or second logical circuit 
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